
How Many Seconds Would It Take To Crack Your Password? 454

DillyTonto writes "Want to know how strong your password is? Count the number of characters and the type and calculate it yourself. Steve Gibson's Interactive Brute Force Password Search Space Calculator shows how dramatically the time-to-crack lengthens with every additional character in your password, especially if one of them is a symbol rather than a letter or number. Worst-case scenario with almost unlimited computing power for brute-forcing the decrypt: 6 alphanumeric characters takes 0.0000224 seconds to crack, 10 alpha/nums with a symbol takes 2.83 weeks."
  • Websites (Score:5, Interesting)

    by SJHillman ( 1966756 ) on Friday June 08, 2012 @08:11AM (#40255331)

    There are still websites out there that limit you to 8 characters maximum. When Citi held my student loans (studentloans.com), their website would just use the first 8 characters of whatever password you entered.... of course, the field would accept more and they wouldn't tell you this so the first time you went to log in, it was a very WTF moment because you'd get a Password Incorrect error even though the password matched the one you signed up with. It was one of the main reasons I was actually happy when they sold my loan to Sallie Mae six months ago.

  • by tgatliff ( 311583 ) on Friday June 08, 2012 @08:12AM (#40255337)

    Anytime I read articles like this, I just assume someone is trying to see something...

    The best way to limit an attack like this is to limit how fast the attempts can be made. Rerun his "test" when the server only allows one password submit every 10 seconds and see how long it takes. More secure you say?? Well, after 5 bad attempts, lock the account for 30 minutes?? Please, however, never lock the account entirely like SOME companies do. That makes a script kiddie's actions my problem...

    Good passwords can never stop common sense computing procedures...

  • MS Office CD Key (Score:5, Interesting)

    by Anonymous Coward on Friday June 08, 2012 @08:22AM (#40255445)

    I worked on a random desktop rollout contract that was paying stupid amounts of money, and one evening I observed one of my fellow contractors entering his password.

    clickity clickity clickity clickity...

    I said "wow... hardcore password", he replied "yeah, I worked on a contract before this where we had to manually put in the MS Office CD Key across a few hundred desktops, so I've memorised it. It's now my go-to password"

    Must have been the only time I've seen an MS CD-Key actually being wanted.

    Pasting the first CD Key I could find on serials.ws (V4933-88FR7-9P3KK-D2QF4-9M9CM) into the GRC tool produced:

    Online Attack Scenario:
    (Assuming one thousand guesses per second) 68.45 thousand trillion trillion trillion centuries

    Offline Fast Attack Scenario:
    (Assuming one hundred billion guesses per second) 6.84 hundred million trillion trillion centuries

    Massive Cracking Array Scenario:
    (Assuming one hundred trillion guesses per second) 6.84 hundred thousand trillion trillion centuries

    Anyway, in actual practice: passphrases using 2-3 words. I've found that 4 words and above is a bit much. And writing down your password/passphrase on a post-it is not a bad thing so long as you obfuscate it!
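
The arithmetic behind the figures quoted in the summary and in the comments above, as an added example that is not part of the original thread or of the GRC tool. It assumes the calculator's model is character classes of 26 lowercase, 26 uppercase, 10 digits and 33 symbols, with every length up to the password's own counted; the throttled rates come from the rate-limiting comment, and the sample passwords are constructed.

```python
import string

# Class sizes assumed to mirror the GRC calculator: 26 + 26 + 10 + 33 symbols.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 punctuation marks plus space
)

# Guesses per second: the three scenarios quoted in the thread, plus the two
# server-side throttles suggested in the rate-limiting comment.
RATES = {
    "lock 30 min after 5 failures": 5 / (30 * 60),
    "one attempt per 10 seconds": 1 / 10,
    "online attack": 1e3,
    "offline fast attack": 1e11,
    "massive cracking array": 1e14,
}

def alphabet_size(password):
    """Add up the size of every character class the password draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))

def search_space(alphabet, length):
    """Count all candidates of length 1..length; shorter ones are tried first."""
    return sum(alphabet ** k for k in range(1, length + 1))

def seconds_to_exhaust(password, rate):
    """Worst-case seconds to try the whole space at `rate` guesses per second."""
    return search_space(alphabet_size(password), len(password)) / rate

def report(password):
    """Return {scenario: worst-case seconds} for every rate in RATES."""
    return {name: seconds_to_exhaust(password, rate) for name, rate in RATES.items()}

if __name__ == "__main__":
    # Constructed sample passwords: 6 alphanumerics, then 10 alphanumerics plus a symbol.
    for pw in ("abc123", "abcde12345!"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}")
        for name, secs in report(pw).items():
            print(f"  {name:30s} {secs:12.3e} s  ({secs / 31_557_600:.3e} years)")
```

These figures bound an exhaustive search only; a password that appears in a wordlist or follows a common pattern falls far sooner than its search space suggests.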

  • Re:Ha! (Score:4, Interesting)

    by 2.7182 ( 819680 ) on Friday June 08, 2012 @08:34AM (#40255555)

    Actually, I do find it handy to hash (in my head) a childhood friend's phone number with some other easy to remember information. Anyone see any problem with this?

  • Re:oblig xkcd (Score:4, Interesting)

    by Guspaz ( 556486 ) on Friday June 08, 2012 @11:45AM (#40258099)

    So your solution to the problem that nobody can remember randomized-per-character passwords is to massively increase the character set that people need to memorize? That's not helpful. The XKCD example was to show that it's possible to create easy to remember passwords that still have a whole bunch of entropy; the status of ASCII versus Unicode doesn't change anything at all in this regard. If anything, it makes the case for XKCD-style passwords even stronger.
